fix(search-api): set max page size to 100 for auth, 25 for guest

slint · slint · commit 917b5c6996d3 · 2025-11-24T17:52:15.000+01:00
diff --git a/site/tests/test_search.py b/site/tests/test_search.py
@@ -0,0 +1,61 @@
+# -*- coding: utf-8 -*-
+#
+# Copyright (C) 2025 CERN.
+#
+# ZenodoRDM is free software; you can redistribute it and/or modify it
+# under the terms of the MIT License; see LICENSE file for more details.
+
+"""Test search API page size validation."""
+
+import pytest
+
+
+@pytest.fixture
+def search_url(test_app):
+    """Search API URL."""
+    host = test_app.config["SITE_API_URL"]
+    return f"{host}/records"
+
+
+def test_guest_page_size_validation(client, search_url):
+    """Guest users limited to 25 results per page."""
+    # Guest: size=25 works
+    res = client.get(f"{search_url}?size=25")
+    assert res.status_code == 200
+
+    # Guest: size=26 exceeds limit
+    res = client.get(f"{search_url}?size=26")
+    assert res.status_code == 400
+    assert res.json == {
+        "status": 400,
+        "message": "A validation error occurred.",
+        "errors": [
+            {
+                "field": "size",
+                "messages": [
+                    "Page size cannot be greater than 25. Please use authenticated requests to increase the limit to 100."
+                ],
+            }
+        ],
+    }
+
+
+def test_authenticated_page_size_validation(client_with_login, search_url):
+    """Authenticated users limited to 100 results per page."""
+    # Auth: size=100 works
+    res = client_with_login.get(f"{search_url}?size=100")
+    assert res.status_code == 200
+
+    # Auth: size=101 exceeds limit
+    res = client_with_login.get(f"{search_url}?size=101")
+    assert res.status_code == 400
+    assert res.json == {
+        "status": 400,
+        "message": "A validation error occurred.",
+        "errors": [
+            {
+                "field": "size",
+                "messages": ["Page size cannot be greater than 100."],
+            }
+        ],
+    }
diff --git a/site/zenodo_rdm/params.py b/site/zenodo_rdm/params.py
@@ -14,7 +14,7 @@
 from invenio_rdm_records.resources.config import RDMSearchRequestArgsSchema
 from invenio_rdm_records.services.config import RDMSearchOptions
 from invenio_records_resources.services.records.params.base import ParamInterpreter
-from marshmallow import fields, pre_load
+from marshmallow import ValidationError, fields, pre_load, validates
 
 
 class LegacyAllVersionsParam(ParamInterpreter):
@@ -101,12 +101,23 @@ class ZenodoArgsSchema(RDMSearchRequestArgsSchema):
     type = fields.String()
     subtype = fields.String()
 
-    @property
-    def max_page_size(self):
-        """Max page size depending on user authentication."""
+    MAX_PAGE_SIZE_AUTHENTICATED = 100
+    MAX_PAGE_SIZE_GUEST = 25
+
+    @validates("size")
+    def validate_max_page_size(self, value):
+        """Validate maximum page size based on user authentication."""
         if request and current_user.is_authenticated:
-            return 200
-        return 100
+            if value > self.MAX_PAGE_SIZE_AUTHENTICATED:
+                raise ValidationError(
+                    f"Page size cannot be greater than {self.MAX_PAGE_SIZE_AUTHENTICATED}."
+                )
+        else:
+            if value > self.MAX_PAGE_SIZE_GUEST:
+                raise ValidationError(
+                    f"Page size cannot be greater than {self.MAX_PAGE_SIZE_GUEST}. "
+                    f"Please use authenticated requests to increase the limit to {self.MAX_PAGE_SIZE_AUTHENTICATED}."
+                )
 
     @pre_load
     def load_all_versions(self, data, **kwargs):
